On 10/27/2010 11:12 AM, Orion Poplawski wrote: > I'd be very interested to know what tools people are using to manage user > accounts in the directory server. Currently we are using a modified version > of fdstools because we have a Posix + Samba environment, but would be > interested in other solutions that may be out there. I use GIR (Generalized Identity Replicator)--originally developed with Sun DS about 8 years ago. It was designed initially as a meta-directory server integrating Oracle users, flat passwd updates for non-LDAP hosts, Netscape/Sun/Redhat DS, AD and more. It has very simple and easy to use user management. I just updated it and deployed it at a large government site. I believe there are some features newer to Fedora DS that it could use (like triggered updates), but right now it also handles things like groups and whatnot so AD sensitive applications also have the values they are looking for. It is OSS, and I need to release a new version. It is written in Perl, uses an Abstract API for easy extensibility of unique data stores (if you are into perl programming), has an encrypted message bus, so if something is down it'll keep retrying to make an update, etc. It uses a web front-end. Currently, one GIR system manages three discrete directory structures, and synchronizes accounts with AD (limited to just locked/disabled status for now). When you change a user's information/groups/etc in GIR it replicates to all directories (because we don't use passwords in AD it does not replicate there, but it could, if we did). http://sourceforge.net/projects/gir/ If you are interested in rolling up your sleeves, I could get you the 3.0 version. It should run without much effort in Redhat/Centos, just contact me offline. Oh, and because I'm still not happy with where FreeIPA is at yet, I actually have a simple, simple mechanism of creating a "host" computer account, and joining linux hosts using one account per host, instead of a general proxy account. There is a script "join-domain" that does all the LDAP config stuff, plus creates the host password (randomly generated) and inserts it into the tree. This largely came about because the built-in redhat auth scripts are broken when using only SSL with private CA certs, and I had to keep rewriting the ldap.conf file anyway, so why bother with the core OS stuff when it is broken. It is really just an interim solution until FreeIPA matures, but it is better than one generic proxy account for all hosts, and it is way better than anonymous binding (we also run our entire environment encrypted). -Brandon -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
